Smart Bulbs can be Hacked to Hack into your Household

After performing a penetration testing session on a smart bulb, the Tapo L530E by TP-Link, we found four vulnerabilities that allow five different attacks to be carried out

Work

"Smart Bulbs can be Hacked to Hack into your Household" is the description of a penetration testing session on a smart bulb, the Tapo L530E by TP-Link. During the session we found four vulnerabilities that allow five attacks to be carried out. Because authentication is not properly accounted for and the implemented cryptographic measures do not sufficiently guarantee confidentiality, the attacker can operate at will all devices of the Tapo family that the user may have on her Tapo account and learn the victim's Wi-Fi password, thereby escalating his malicious potential considerably.


Attacks

  • Attack scenario 1 - Fake Bulb Discovery messages generation.

    The attacker discovers the secret used by the smart bulb and the Tapo application to authenticate discovery messages from compatible devices connected to the network, so he can authenticate fake messages of his own.

  • Attack scenario 2 - Password exfiltration from Tapo user account.

    The attacker authenticates himself as the smart bulb to the Tapo application, so he can obtain the credentials that the Tapo application uses with the smart bulb. In this way the attacker obtains the password and email hash of the victim's Tapo account.

  • Attack scenario 3 - MITM attack with a configured Tapo L530E.

    The attacker performs a MITM attack on the communication between the smart bulb and the Tapo application, so he is able to violate the confidentiality of every message exchanged in that communication.

  • Attack scenario 4 - Replay attack with the Smart bulb as victim.

    The attacker replays old messages to both the smart bulb and the Tapo application, so he can arbitrarily change the state of the smart bulb.

  • Attack scenario 5 - MITM attack with an unconfigured Tapo L530E.

    The attacker performs a Wi-Fi deauthentication attack in order to force the user to reset the smart bulb, so he can perform a MITM attack and obtain the SSID and password of the victim's local network, as well as the credentials the victim uses to authenticate with the Tapo application. These credentials consist of the victim's Tapo account email and password.


Responsible Disclosure

Complete Timeline of the Responsible Disclosure Process
  • June 2022 Research on Tapo L530E starts!

  • 25th February 2023 We start the responsible disclosure process by reporting all found undesirable behaviours and potential vulnerabilities to TP-Link via their TP-Link Product Security Advisory. Our report includes the lack of authentication of the smart bulb with the Tapo app, the hard-coded, short shared secret, the lack of randomness during symmetric encryption, and the insufficient message freshness.

  • 1st March 2023 First response from TP-Link. TP-Link handled this vulnerability without delay, responded positively to the vulnerability report, and started validating a fix as soon as possible.

  • 11th April 2023 After a first review of the report, TP-Link does not object to our decision to submit our research paper to venues for publication.

  • 23rd April 2023 "Smart Bulbs can be Hacked to Hack into your Household" paper is accepted to the SECRYPT 2023 conference!

  • 16th June 2023 TP-Link has confirmed a valid solution and is releasing new firmware to fix the issue.

  • 19th June 2023 Agreed deadline for the disclosure.

  • 12th July 2023 Vulnerability is disclosed via publication of a paper on SciTePress.


Paper

Smart Bulbs can be Hacked to Hack into your Household

Smart Bulbs can be Hacked to Hack into your Household was authored by Davide Bonaventura (Università degli Studi di Catania), Sergio Esposito (Royal Holloway University of London) and Giampaolo Bella (Università degli Studi di Catania). The paper is published in the proceedings of the 20th SECRYPT International Conference on Security and Cryptography (SECRYPT 2023).

Davide Bonaventura

Master Student at Università degli Studi di Catania

Sergio Esposito

PhD Student at Royal Holloway University of London

Giampaolo Bella

Associate Professor (with Italian MIUR habilitation as Full Professor) at Università degli Studi di Catania



CVE

Common Vulnerabilities and Exposures

CVE Entries assigned to the vulnerabilities described in our paper, Smart Bulbs can be Hacked to Hack into your Household, are the following:


Q&A

Questions and Answers

Most likely. We have tested the attacks using a Tapo L530-series smart bulb with Hardware Version 1.0.0 and Firmware Version 1.1.9, and a Tapo application Version 2.8.14. Most likely the attacks also work with other versions prior to the version containing the fix.

All Tapo devices using the described protocol. The vulnerabilities are not implementation-oriented but design-oriented, which means that all devices using the same protocol as the Tapo L530E are vulnerable to the described attacks.

Change the password of both your Tapo account and your Wi-Fi network. This disconnects all devices that were connected to your Tapo account and/or your Wi-Fi network without your consent.

Make sure that only devices known to you have access to the Wi-Fi network your smart bulb is connected to. The attacker can only carry out the attacks when he is able to communicate directly with the smart bulb.
When you reset your smart bulb, pay attention to the Wi-Fi network you connect to in order to complete the configuration process. The network you are connected to may be controlled by the attacker rather than being the network started by your smart bulb.
Make sure you do not disclose your tapoId. The tapoId allows your Tapo application to recognize the devices associated with your account. Through it, an attacker is able to authenticate to your Tapo application as a device associated with your account.

We are not aware of the vulnerabilities being exploited in the wild.

Yes. TP-Link has released new versions of both the firmware and the application that resist the attacks. Make sure you update both.